2IW81 Final Examination Software Specification and Architecture

Mathematics and Computer Science Eindhoven University of Technology

April 15, 2014, 9:00-12:00

Note: It is not allowed to use study material, lecture notes, computers, calculators or mobile phones during the examination.

You should indicate your answers in the exam form itself. Should you require additional pa-per, please ask the invigilator.

For your convenience summary of Event-B syntax is included as an appendix to this exam.

!!

Part I (40 points) Answer the following multiple-choice questions. Each question might have multiple correct answers; you should encircle all of them in the exam text below. For each question you get

• 2 points if all correct answers have been indicated and no incorrect answers have been indicated;

• 1 point if some correct answers have been missed but no incorrect answers have been indicated;

• 0 points if at least one incorrect answer has been indicated.

!1) VEMUS, Virtual European Music School, was a big European project targeting dis-

tance music learning by designing a software system to support both music teachers and learners. Music pieces played by the learners are subject to evaluations both by teachers and by the automated systems. One of the requirements pertaining to the latter reads: “The system should allow for automatic performance evaluation”.

a. This requirement is specific.

b. This requirement is a functional requirement.

c. Quality attribute related to this requirement is performance.

d. This requirement records traceability information.

2) Use case descriptions commonly contain:

a. Trigger, associations, guarantee.

b. Precondition, generalizations, main scenario.

c. Precondition, main scenario, alternative scenarios.

d. Aggregation, composition, generalization.

3) In an e-commerce application the customers have an option of checking the status of their orders. To check the status of an order customer should be logged in. Use case diagram describing this situation contains two use cases, Login and CheckOrderSta-tus, and

a. a dashed arrow from Login to CheckOrderStatus with a stereotype <<inclu-de>>

b. a dashed arrow from Login to CheckOrderStatus with a stereotype <<extend>>

c. a dashed arrow from CheckOrderStatus to Login with a stereotype <<inclu-de>>

d. a dashed arrow from CheckOrderStatus to Login with a stereotype <<extend>>

4) Identify correct statements about activity diagrams:

a. Activity diagrams have only one ActivityFinal marker ! and may have mul-tiple FlowFinal markers ! .

b. If an ExpansionRegion is present, it should have at least one FlowFinal mar-ker ! .

c. InterruptibleActivityRegion is indicated using the rake symbol !

d. Pins represent input/output parameters.

!5) Consider the following diagram

!

What state would be reached after the following sequence of events: e1, e2, e3, e4, e6?

a. S111

b. S112 or S113 depending on the value of the guard p

c. S121

d. S122

!

6) Which of the following notations indicate(s) that interface I is provided by class P?

!

7) Which statements hold for the following diagram

!

a. One flight can be assigned only to zero or one planes.

b. One flight can be assigned to any number of planes.

c. One plane can be assigned only to zero or one flights.

d. One plane can be assigned to any number of flights.!8) Which one(s) of the following sequence diagram fragments is consistent with the

class diagram fragment?

!

!

9) Identify correct statements pertaining to deployment diagrams:

a. Artefacts are physical elements of the system such as devices and execution environments.

b. Artefacts: information items produced during software development or when operating the system.

c. Manifestation maps artefacts to components, use cases, classes, compo-nents, packages.

d. Manifestation maps components, use cases, classes, components to arte-facts.

10) Inspect the following diagram: some messages are incorrect. Identify them:

a. m1

b. m2

c. m3

d. m6

!

!

11) See the diagram below. What is the maximum number of instances of D that can be connected to one instance of A?

!

a. 12

b. 0

c. 30

d. 35

12) In a timing diagram…

a. horizontal lines indicate instantaneous change of a state;

b. a timing ruler should always be present;

c. time constraint {t1..t2} notation indicates that the event takes place between t1 and t2;

d. multiple timelines might be present.

!

13) Choose informal description that corresponds to the following Event-B specification

!

a. A user is authorized to engage in several activities. Each activity takes place in a specific room.

b. A user is authorized to engage in several activities. Activities take place in rooms.

c. Activities take place in rooms. All users are located in rooms.

d. Each user is authorized to engage in only one activity. Users can be located in rooms.

14) Consider the following fragment of an Event-B specification:

! !

! Here “⇒” denotes implication. The verification of this specification fails. Choose the guard that should be added to the event “EnterRoom” to guarantee verification of this specification.

a. grd3 : ∀act · room � act ∈ takeplace ⇒ user � act ∈ authorised

b. grd3 : user � room ∈ location

c. grd3 : takeplace[{room}] ⊆ authorized[{user}]

d. grd3 : room � act ∈ takeplace ∧ user � act ∈ authorized

!

15) [Rozanski and Woods] Company C, an established financial organization, wishes to expand its presence on the Internet with the ability to market a range of financial ser-vices to members of the public. These services are aimed at residents of the country where Company C is based, as well as some international customers. Company C plans to contract out the development and operation of the system to an established Web developer.

a. Assessors of the system are staff from the Web development company.

b. Assessors of the system include senior managers who will authorize funding for the project.

c. Assessors of the system include Company C’s internal accounting and legal staff, as well as external financial regulators from any country in which Com-pany C wants to trade.

d. Assessors of the system include ordinary members of the public, who will ac-cess the public-facing Web site, along with internal administrative staff, who will carry out its back-office functions.

16) Kruchten’s 4+1 process view

a. covers aspects related to the concurrency viewpoint of Taylor, Medvidović and Dashofy;

b. covers aspects related to the operational viewpoint of Rozanski and Woods;

c. can be represented by a UML component diagram;

d. is a viewpoint in terms of the ISO/IEC/IEEE 42010 standard.

!

17) Consider the following variability model.

!

Which combinations of mobile phones’ features are allowed by this model?

a. GPS, Basic screen, Calls

b. Basic screen, High resolution screen, Calls, MP3

c. GPS, Color screen, Calls, Camera

d. High resolution screen, Calls, Camera

18) Indicate true statements pertaining to the Model-View-Controller architectural pattern

a. Model corresponds to a Boundary class

b. Model can change without involving Controller

c. Model-View-Controller enforces event-driven behavior

d. Model-View-Controller supports only one View per Model.

!

19) Which architectural style is represented by the following diagram? Circular figure on the right represents both the visualization tool and the visualization obtained.

!

a. Layered style

b. Pipes and filters style

c. Blackboard style

d. Mobile code style

!20) The Gnutella protocol is an open decentralized group membership and search proto-

col. Gnutella has been designed to operate in a dynamic environment, where hosts can join and leave the network frequently. Furthermore, Gnutella is expected to be scalable and reliable, i.e., external attacks should not cause significant data or per-formance loss. Which one of the following architectural styles would you apply if you have been designing Gnutella?

a. Peer-to-peer

b. Mobile code

c. Client-server

d. Blackboard

!!

!!

!

Part II (60 points) !Part II contains five modeling exercises, by solving each one of them you can earn up to 15 points. You should solve four exercises out of five. Please read all the exercises first, choose the ones you are most confident in to work on, and work on those exercises. If you solve all five exercises, we will only grade the four exercises you have solved first.

!!

1. [15 points] Design a variability model corresponding to the following description by Hundt, Mehner, Pfeiffer and Sokenou (2007).

“The security component is intended to provide access control by user au-thentication and authorization. A user management stores login names and passwords.

Authentication is the minimal function required for access control. If only au-thentication is requested, the authenticated user has complete access to the application. The minimal requirement for authentication is the login feature. Login is carried out either through a user interface or through operating sys-tem user identification. An optional logout feature supports to explicitly log out from the system. After logout, a new user or the same must be able to re-lo-gin. Optionally, a timeout is available to logout a user automatically after a configurable time span has elapsed without user interaction. Logout and ti-meout are not supported if login is realized by operating system user identifi-cation.

Authorization is dependent on authentication. For authorization, it is assumed that access restrictions for each user can be specified. Authorization is sup-posed to cover business objects containing data (per value) but also work flows (per work flow) or certain operations (per operation). Different access rights and different user roles are distinguished.”

!!

!!

2. [15 points] Suppose we are developing a non-web-based information system. This software will be used to collect and process data about certain entities. The require-ments on the user interface are not completely clear. We would like to minimize the risks regarding these requirements by splitting each interface into frames. We have two types of interfaces:

• data-entry interfaces: consist of two frames. The main frame displays existing data items in a data-grid. By selecting an item from this data-grid, the second frame will display a detailed view of the item and will allow the user to edit/remove the item. After making a change in the second frame, this change should be re-flected immediately in the main frame.

• information display interfaces: consist of several frames. Each frame offers a dif-ferent representation for the same data items, e.g., spreadsheet, pie chart, bar chart.

Which architectural patterns/styles would be useful in this situation?

What components of the system would you associate with each part of the chosen architectural patterns/styles?

How would you address the problems in this description by applying these patterns/styles?

!!

3. [15 points] Consider the following ATM system.

The ATM system allows clients to work with bank accounts. To use the ATM a client has to perform authentication. After authentication has been performed, the client gets access to the accounts that he/she is assigned to. The client can perform the following operations with his/her accounts:

• withdraw money from his/her account;

• transfer money from his/her account to any other account;

• deposit money in his/her account;

• stop working with the ATM and with his/her accounts.

The balance variable defines the amount of money stored on accounts. There are two types of accounts: debit and credit. Balance of a debit account must be greater than or equal to zero. Balance of a credit account can be negative, but must not ex-ceed a predefined maximum credit sum.

Money is stored on accounts in different currency. There are four types of currency available: Dollar, Euro, Rupee, and Yuan. The exchange rate defines the rate at which one currency will be exchanged for another when withdrawing, transferring, or depositing money of different currency.

!Compose an Event-B specification of this ATM system. Use the following Event-B specification as an initial version (here the specification is not split into the context and the machine for the sake of brevity):

!

! Authentication

ANY client WHERE … THEN …

END Transfer

ANY source, destination, amount WHERE … THEN … END

Deposit ANY destination, amount WHERE … THEN … END

Withdraw ANY source, amount WHERE … THEN … END

Stop WHERE … THEN … END

END !Add guards (WHERE-section) and actions (THEN-section) to the listed events to specify the ATM functionality. Specify types of the proposed parameters in the guards of the events. Ensure that the invariants hold after each of these events is executed. Add necessary variables, invariants and guards to describe debit/credit types of ac-counts. Add necessary sets, constants, axioms, variables, invariants, parameters and guards to describe currencies and exchange of currencies.

!!

4. [15 points] Give a class diagram that models the domain of the card game Klondi-ke. Give only classes, associations, and multiplicities. No attributes or methods requi-red.

!Klondike is a solitaire game where part of the cards are initially placed on the table in a harp shape, the so-called tableau (see picture). The rest of the cards are placed face down in the deck pile and one by one turned over and either added to the ta-bleau or to the discard pile. Cards have a rank and a suit. During the game, four suit piles are built (in the top right of the picture), one for each suit.

!

!

!!

5. [15 points] Consider the following required functionality of an online DVD shop:

!Customers should be able to search for DVDs by Title and Category (some examples of categories are: Series, Movies, Music). Once they find a product they like, they can add a DVD to their shopping cart. This requires that they are logged in, therefore if they do not yet have an account, they should be able to create one. When creating an account, a username and password should be chosen, and optionally, they can enter their home address and/or the credit card information they want to use for paying. Credit card information consists of the name on the credit card, the credit card company, the credit card number, and the expiration date.

!They can add as many DVDs to the shopping cart as they want, and they can also remove DVDs. If they decide at some point to check out the shopping cart, then they are asked to check the shipping address and credit card information supplied, and if either of those was not supplied, they are asked to supply it. Next, they can review the contents of the shopping cart, and if they agree, they can send the order. Then, the credit card information is sent to the bank, and, if approved, the order is finalised. If the information was not approved, then the customer is made aware of this, so he/she can change the payment option.

!A delivery agent can check the status of online orders, and process an order, mea-ning that it changes its status from “pending” to “delivered”.

!Finally, the administrator is responsible for the DVD inventory. She can check the current inventory, order new DVDs from the supplier, and add DVDs to the inventory.

!a. Create a UML Use Case Diagram for the online DVD shop. In addition, give a de-tailed description (pre-condition, trigger, guarantee, main scenario,…) of the use case for “check out shopping cart”.

!b. Based on your use case description of “check out shopping cart”, create a UML Sequence Diagram.

!c. Create a UML Activity Diagram to depict the business process for processing a DVD order. There are three parties involved in processing an order: Shipping, Online Sales, and Accounting. The process starts when Online Sales receives an order for DVDs from a user. To complete the order, the store needs to charge the credit card and deliver the DVDs. To charge the card, Online Sales sends the credit card infor-mation to Accounting, who will then validate and process the credit card. To deliver the DVDs, Shipping will first fill the order, then prepare the package, and finally deli-ver it. Once the DVDs are delivered and the credit card is charged, the order is clo-sed.

!

This page has been intentionally left blank

!

A Concise Summary of the Event-B mathematical toolkit

1

Each construct will be given in its presentation form, as displayed in the Rodin toolkit, followed by the ASCII formthat is used for input to Rodin.

In the following: P , Q and R denote predicates;x and y denote single variables;z denotes a single or comma-separated list of variables;p denotes a pattern of variables, possibly including 7! and parentheses;S and T denote set expressions;U denotes a set of sets;m and n denote integer expressions;f and g denote functions;r denotes a relation;E and F denote expressions;E,F is a recursive pattern, ie it matches e1, e2 and also e1, e2, e3 . . . ; similarly for x, y;

Freeness: The meta-predicate ¬free(z, E) means that none of the variables in z occur free in E. This meta-predicate is defined recursively on the structure of E, but that will not be done here explicitly. The base casesare: ¬free(z, 8z · P )Q), ¬free(z, 9z · P ^Q), ¬free(z, {z · P | F}), ¬free(z,�z · P |E), and free(z, z).

In the following the statement that P must constrain z means that the type of z must be at least inferrable fromP .

In the following, parentheses are used to show syntactic structure; they may of course be omitted when there isno confusion.

Note: Event-B has a formal syntax and this summary does not attempt to describe that syntax. What itattempts to do is to explain Event-B constructs. Some words like expression collide with the formal syntax.Where a syntactical entity is intended the word will appear in italics, e.g. expression, predicate.

1 Predicates

1. False ? false

2. True > true

3. Conjunction: P ^Q P & Q

Left associative.

4. Disjunction: P _Q P or Q

Left associative.

5. Implication: P )Q P => Q

Non-associative: this means that P)Q)R mustbe parenthesised or an error will be diagnosed.

6. Equivalence: P ,Q P <=> Q .P () Q = P )Q ^Q) P

Non-associative: this means that P,Q,R mustbe parenthesised or an error will be diagnosed.

7. Negation: ¬P not P

8. Universal quantification:8z ·P )Q !z.P => Q

Strictly, 8z ·P , but usually an implication.For all values of z, satisfying P , Q is satisfied.The types of z must be inferrable from the predi-cate P .

9. Existential quantification:9z ·P ^Q #z.P & Q

Strictly, 9z ·P , but usually a conjunction.There exist values of z, satisfying P , that satisfyQ.The type of z must be inferrable from the predicateP .

10. Equality: E = F E = F

11. Inequality: E 6= F E /= F

2 Sets

1. Singleton set: {E} {E}

2. Set enumeration: {E,F} {E, F}See note on the pattern E,F at top of summary.

3. Empty set: ? {}

4. Set comprehension: { z ·P | F } { z . P | F }General form: the set of all values of F for allvalues of z that satisfy the predicate P . P mustconstrain the variables in z.

5. Set comprehension: { F | P } { F | P }Special form: the set of all values of F that sat-isfy the predicate P . In this case the set of boundvariables z are all the free variables in F .{ F | P } = { z ·P | F }, where z is all the variablesin F .

6. Set comprehension: { x | P } { x | P }A special case of item 5: the set of all values of xthat satisfy the predicate P .{ x | P } = { x·P | x }

7. Union: S [ T S \/ T

8. Intersection: S \ T S /\ T

9. Di↵erence: S \ T S \ T

S\T = {x | x 2 S ^ x /2 T}

10. Ordered pair: E 7! F E |-> F .E 7! F 6= (E,F )Left associative.In all places where an ordered pair is required,

1Version January 23, 2014

c�1996-2014 Ken Robinson

1

E 7! F must be used. E,F will not be ac-cepted as an ordered pair, it is always a list.{x, y ·P | x 7! y} illustrates the di↵erent usage.

11. Cartesian product: S ⇥ T S ** T

S ⇥ T = {x 7! y | x 2 S ^ y 2 T}Left-associative.

12. Powerset: P(S) POW(S)

P(S) = {s | s ✓ S}

13. Non-empty subsets: P1(S) POW1(S)

P1(S) = P(S)\{?}

14. Cardinality: card(S) card(S)

Defined only for finite(S).

15. Generalized union: union(U) union(U)

The union of all the elements of U .8U ·U 2 P(P(S)))union(U) = {x | x 2 S ^ 9s·s 2 U ^ x 2 s}where ¬free(x, s, U)

16. Generalized intersection: inter(U) inter(U)

The intersection of all the elements of U .U 6= ?,8U ·U 2 P(P(S)))inter(U) = {x | x 2 S ^ 8s·s 2 U ) x 2 s}where ¬free(x, s, U)

17. Quantified union:

[z ·P | S UNION z.P | S

P must constrain the variables in z.8z ·P ) S ✓ T )[(z ·P | E) = {x | x 2 T ^ 9z ·P ^ x 2 S}where ¬free(x, z, T ), ¬free(x, P ), ¬free(x, S),¬free(x, z)

18. Quantified intersection:

\z ·P | S INTER z.P | S

P must constrain the variables in z,{z | P} 6= ?,(8z ·(P ) S ✓ T )))\z ·P | S = {x | x 2 T ^ (8z ·P ) x 2 S)}where ¬free(x, z), ¬free(x, T ), ¬free(x, P ),¬free(x, S).

2.1 Set predicates

1. Set membership: E 2 S E : S

2. Set non-membership: E /2 S E /: S

3. Subset: S ✓ T S <: T

4. Not a subset: S 6✓ T S /<: T

5. Proper subset: S ⇢ T S <<: T

6. Not a proper subset: s 6⇢ t S /<<: T

7. Finite set: finite(S) finite(S)

finite(S), S is finite.

8. Partition: partition(S, x, y) partition(S,x,y)

x and y partition the set S, ie S = x[y^x\y = ?Specialised use for enumerated sets:partition(S, {A}, {B}, {C}).S = {A,B,C} ^A 6= B ^B 6= C ^ C 6= A

3 BOOL and bool

BOOL is the enumerated set: {FALSE,TRUE}and bool is defined on a predicate P as follows:

1. P is provable: bool(P ) = TRUE

2. ¬P is provable: bool(P ) = FALSE

4 Numbers

The following is based on the set of integers, the set ofnatural numbers (non-negative integers), and the set ofpositive (non-zero) natural numbers.

1. The set of integer numbers: Z INT

2. The set of natural numbers: N NAT

3. The set of positive natural numbers: N1 NAT1

N1 = N\{0}

4. Minimum: min(S) min(S)

S ⇢ Z and finite(S) or S must have a lower bound.

5. Maximum: max(S) max(S)

S ⇢ Z and finite(S) or S must have an upperbound.

6. Sum: m+ n m + n

7. Di↵erence: m� n m - n

n m

8. Product: m⇥ n m * n

9. Quotient: m/n m / n

n 6= 0

10. Remainder: mmod n m mod n

n 6= 0

11. Interval: m .. n m .. n

m .. n = { i | m i ^ i n }

4.1 Number predicates

1. Greater: m > n m > n

2. Less: m < n m < n

3. Greater or equal: m � n m >= n

4. Less or equal: m n m <= n

5 Relations

A relation is a set of ordered pairs; a many to manymapping.

1. Relations: S $ T S <-> T

S $ T = P(S ⇥ T )Associativity: relations are right associative:r 2 X $ Y $ Z = r 2 X $ (Y $ Z).

2. Domain: dom(r) dom(r)

8r ·r 2 S $ T )dom(r) = {x·(9y ·x 7! y 2 r)}

3. Range: ran(r) ran(r)

8r ·r 2 S $ T )ran(r) = {y ·(9x·x 7! y 2 r)}

2

4. Total relation:S $ T S <<-> T

if r 2 S $ T then dom(r) = S

5. Surjective relation:S$! T S <->> T

if r 2 S$! T then ran(r) = T

6. Total surjective relation:S$$ T S <<->> T

if r 2 S$$ T then dom(r) = S and ran(r) = T

7. Forward composition: p ; q p ; q

8p, q ·p 2 S$ T ^ q 2 T $ U )p ; q = {x 7! y | (9z ·x 7! z 2 p ^ z 7! y 2 q)}

8. Backward composition: p � q p circ q

p � q = q ; p

9. Identity: id id

S � id = {x 7! x | x 2 S}.id is generic and the set S is inferred from thecontext.

10. Domain restriction: S � r S <| r

S � r = {x 7! y | x 7! y 2 r ^ x 2 S}.

11. Domain subtraction: S �� r S <<| r

S �� r = {x 7! y | x 7! y 2 r ^ x /2 S}.

12. Range restriction: r ⇤ T r |> T

r ⇤ T = {x 7! y | x 7! y 2 r ^ y 2 T}.

13. Range subtraction: r ⇤� T r |>> T

r ⇤� T = {x 7! y | y 2 r ^ y /2 T}.

14. Inverse: r�1 r~

r

�1 = {y 7! x | x 7! y 2 r}.

15. Relational image: r[S] r[S]

r[S] = {y | 9x·x 2 S ^ x 7! y 2 r}.

16. Overriding: r1 �� r2 r1 <+ r2

r1 �� r2 = r2 [ (dom(r2)�� r1).

17. Direct product: p⌦ q p >< q

p⌦ q = {x 7! (y 7! z) | x 7! y 2 p ^ x 7! z 2 q)}.

18. Parallel product: p k q p || q

p k q = {x, y,m, n·x 7! m 2 p ^ y 7! n 2 q | (x 7!y) 7! (m 7! n)}.

19. Projection: prj1 prj1

prj1 is generic.(S ⇥ T )� prj1 = {(x 7! y) 7! x | x 7! y 2 S ⇥ T}.

20. Projection: prj2 prj2

prj2 is generic.(S ⇥ T )� prj2 = {(x 7! y) 7! y | x 7! y 2 S ⇥ T}.

5.1 Iteration and Closure

Iteration and closure are important functions on rela-tions that are not currently part of the kernel Event-Blanguage. They can be defined in a Context, but notpolymorphically.

Note: iteration and irreflexive closure will be imple-mented in a proposed extension of the mathematicallanguage. The operators will be non-associative.

1. Iteration: rn r^n

r 2 S$ S) r

0 = S � id^rn+1 = r ; rn.Note: to avoid inconsistency S should be the fi-nite base set for r, ie the smallest set for which allr 2 S$ S.Could be defined as a function iterate(r 7! n).

2. Reflexive Closure: r⇤ r^⇤r

⇤ = [n·(n 2 N | rn).Could be defined as a function rclosure(r).Note: r0 ✓ r

⇤.

3. Irreflexive Closure: r+ r^+

r

+ = [n·(n 2 N1 | rn).Could be defined as a function iclosure(r).Note: r

0 6✓ r

+ by default, but may be presentdepending on r.

5.2 Functions

A function is a relation with the restriction that eachelement of the domain is related to a unique element inthe range; a many to one mapping.

1. Partial functions: S 7! T S +-> T

S 7! T = {r ·r 2 S$ T ^ r

�1 ; r ✓ T � id}.

2. Total functions: S! T S --> T

S! T = {f ·f 2 S 7! T ^ dom(f) = S}.

3. Partial injections: S 7⇢ T S >+> T

S 7⇢ T = {f ·f 2 S 7! T ^ f

�1 2 T 7! S}.One-to-one relations.

4. Total injections: S ⇢ T S >-> T

S ⇢ T = S 7⇢ T \ S! T .

5. Partial surjections: S 7⇣ T S +->> T

S 7⇣ T = {f ·f 2 S 7! T ^ ran(f) = T}.Onto relations.

6. Total surjections: S ⇣ T S -->> T

S ⇣ T = S 7⇣ T \ S! T .

7. Bijections: S ⇢⇣ T S >->> T

S ⇢⇣ T = S ⇢ T \ S ⇣ T .One-to-one and onto relations.

8. Lambda abstraction:(�p·P | E) (%p.P|E)

P must constrain the variables in p.(�p·P | E) = {z ·P | p 7! E}, where z is a list ofvariables that appear in the pattern p.

9. Function application: f(E) f(E)

E 7! y 2 f ) E 2 dom(f) ^ f 2 X 7! Y , wheretype(f) = P(X ⇥ Y ).Note: in Event-B, relations and functions onlyever have one argument, but that argument may

be a pair or tuple, hence f(E 7! F ) f(E |-> F)

f(E,F ) is never valid.

6 Models

1. Contexts: contain sets and constants used byother contexts or machines.

3

CONTEXT IdentifierEXTENDS Machine IdentifiersSETS IdentifiersCONSTANTS IdentifiersAXIOMS PredicatesEND

Note: theorems can be presented in the AXIOMSpart of a context.

2. Machines: contain events.

MACHINE IdentifierREFINES Machine IdentifiersSEES Context IdentifiersVARIABLES IdentifiersINVARIANT PredicatesVARIANT ExpressionEVENTS EventsEND

Note: theorems can be presented in the INVARI-ANT section of a machine and the WHERE partof an event.

6.1 Events

Event nameREFINES Event identifiersANY IdentifiersWHERE PredicatesWITH WitnessesTHEN ActionsEND

There is one distinguished event named INITIALISA-TION used to initialise the variables of a machine, thusestablishing the invariant.

6.2 Actions

Actions are used to change the state of a machine. Theremay be multiple actions, but they take e↵ect concur-rently, that is, in parallel. The semantics of events aredefined in terms of substitutions. The substitution [G]Pdefines a predicate obtained by replacing the values ofthe variables in P according to the action G. Generalsubstitutions are not available in the Event-B language.

Note on concurrency: any single variable can be mod-ified in at most one action, otherwise the e↵ect of theactions would, in general, be inconsistent.

1. skip, the null action:skip denotes the empty set of actions for an event.

2. Simple assignment action: z := E x := E

:= = “becomes equal to”: replace free occurrencesof x by E.

3. Choice from set: x :2 S x :: S

:2 = “becomes in”: arbitrarily choose a value fromthe set S.

4. Choice by predicate: z :| P z :| P

:| = “becomes such that”: arbitrarily choose val-ues for the variable in z that satisfy the predicateP . Within P , x refers to the value of the variablex before the action and x

0 refers to the value ofthe variable after the action.

5. Functional override: f(x) := E f(x) := E

Substitute the value E for the function/relation f

at the point x.This is a shorthand:f(x) := E = f := f �� {x 7! E}.

Acknowledgement: Jean-Raymond Abrial, Laurent Voisin and Ian Hayes have all given valuable feedback andcorrections at various stages of the evolution of this summary.

4